Facebook, Microsoft release NSA stats to reassure users

In an effort to reassure users, Facebook discloses it has received legal orders to turn over details on about one-thousandth of one percent of user accounts. So does Microsoft, and Google plans to do the same.

Washington State Attorney General Rob McKenna and Facebook General Counsel Ted Ullyot, in a file photo.
Jay Greene/CNET

Facebook and Microsoft on Friday became the first Internet companies to disclose the total number of legal orders they receive for user data, including ones from the National Security Agency and from state, local, and federal police performing criminal investigations.

The total for Facebook: About 18,000 accounts over a six month period, or one-thousandth of one percent of user accounts.

Microsoft's total was about 31,000 accounts over the same six month period ending December 31, 2012. A Google representative told CNET this evening that the search company is working on disclosing the same type of statistics, and plans to be more detailed than Microsoft and Facebook.

That caused near-panic among the more privacy sensitive users of Web-based e-mail and social networks and led to speculation about whether the NSA was secretly vacuuming billions of user profiles. Even after the two newspapers, The Washington Post and the Guardian backed away from their incendiary initial claims, and even after Facebook CEO Mark Zuckerberg and Google CEO Larry Page offered blanket denials, the companies asked the government if they could clear their name about the number of requests they receive under the Foreign Intelligence Surveillance Act, or FISA.

This evening's disclosures from Facebook and Microsoft are the result. Ullyot wrote in a blog post that:

We're pleased that as a result of our discussions, we can now include in a transparency report all U.S. national security-related requests (including FISA as well as National Security Letters), which until now no company has been permitted to do. As of today, the government will only authorize us to communicate about these numbers in aggregate, and as a range. This is progress, but we're continuing to push for even more transparency, so that our users around the world can understand how infrequently we are asked to provide user data on national security grounds.

For the six months ending December 31, 2012, the total number of user-data requests Facebook received from any and all government entities in the U.S. (including local, state, and federal, and including criminal and national security-related requests) was between 9,000 and 10,000. These requests run the gamut -- from things like a local sheriff trying to find a missing child, to a federal marshal tracking a fugitive, to a police department investigating an assault, to a national security official investigating a terrorist threat. The total number of Facebook user accounts for which data was requested pursuant to the entirety of those 9-10 thousand requests was between 18,000 and 19,000 accounts.

With more than 1.1 billion monthly active users worldwide, this means that a tiny fraction of one percent of our user accounts were the subject of any kind of U.S. state, local, or federal U.S. government request (including criminal and national security-related requests) in the past six months. We hope this helps put into perspective the numbers involved, and lays to rest some of the hyperbolic and false assertions in some recent press accounts about the frequency and scope of the data requests that we receive.

Microsoft's blog post from John Frank, vice president and deputy general counsel, says:

For the six months ended December 31, 2012, Microsoft received between 6,000 and 7,000 criminal and national security warrants, subpoenas, and orders affecting between 31,000 and 32,000 consumer accounts from U.S. governmental entities (including local, state, and federal). This only impacts a tiny fraction of Microsoft's global customer base.

We are permitted to publish data on national security orders received (including, if any, FISA Orders and FISA Directives), but only if aggregated with law enforcement requests from all other U.S. local, state, and federal law enforcement agencies; only for the six-month period of July 1, 2012, thru December 31, 2012; only if the totals are presented in bands of 1,000; and all Microsoft consumer services had to be reported together.

A Google representative provided CNET with a statement this evening saying it wants to be even more transparent: "We have always believed that it's important to differentiate between different types of government requests. We already publish criminal requests separately from National Security Letters. Lumping the two categories together would be a step back for users. Our request to the government is clear: to be able to publish aggregate numbers of national security requests, including FISA disclosures, separately."

During a congressional hearing Thursday, FBI Director Robert Mueller declined to respond to questions about lifting the gag order applying to tech companies. "I think that's being looked at by Justice at this point," he said.

Google, Apple, Yahoo, Microsoft, Facebook, and other Internet companies were left reeling after a pair of articles on Thursday alleged that they provided the National Security Agency with "direct access" to their servers. By late Friday, however, CNET reported that was not true, and The Washington Post backtracked from its original story on PRISM. So did the Guardian. In an editorial Tuesday, the paper said the process met legal "standards" and was subject to "judicial review."

Google already releases many statistics about government surveillance as part of its transparency report, including, as of March, information on secret National Security Letters sent by the FBI. But a source familiar with the situation told CNET earlier this week the company had not secured permission to disclose summary statistics about secret FISA orders.

James Clapper, the head of national intelligence, confirmed last week that the Internet companies were receiving legal orders sent to them "pursuant to Section 702 of the Foreign Intelligence Surveillance Act."

After the Foreign Intelligence Surveillance Court limited a Bush-era warrantless surveillance program's scope, Congress enacted the FISA Amendments Act, which established a new procedure for foreign surveillance.

Section 702 requires that the government obtain the secret Foreign Intelligence Surveillance Court's approval of "targeting" and "minimization" procedures, and that the court review the agencies' certification describing how proposed surveillance techniques will comply with the law. Judges must consider whether the targeting procedures are "reasonably designed" to exclude Americans and purely domestic surveillance.

Amnesty International and journalists launched a legal challenge to Section 702 (which is sometimes called 1881a, for its location in the law books). They argued their confidential communications with foreign correspondents would be intercepted under Section 702 in violation of the Fourth Amendment. But in February 2013, the U.S. Supreme Court rejected their challenge by a 5-4 vote, with Justice Samuel Alito writing that their allegations were too "speculative" and that the Section 702 process is subject to ongoing "oversight" and "review."